[Dovecot] [PATCH] lib-sql/driver-mysql.c - Add support for enabling MYSQL_OPT_SSL_VERIFY_SERVER_CERT

Gareth Palmer gareth at acsdata.co.nz
Sun Nov 24 23:55:54 EET 2013


On Fri, 2013-11-22 at 13:52 +0200, Timo Sirainen wrote:
> On 22.11.2013, at 9.22, Patrick Ben Koetter <p at sys4.de> wrote:
> 
> > * Timo Sirainen <dovecot at dovecot.org>:
> >> On 22.11.2013, at 0.35, Gareth Palmer <gareth at acsdata.co.nz> wrote:
> >> 
> >>> The following patch adds support for enabling
> >>> MYSQL_OPT_SSL_VERIFY_SERVER_CERT. 
> >>> 
> >>> It makes the mysql client library check that the commonName in the
> >>> server's SSL certificate matches the host name provided to
> >>> mysql_real_connect() and aborts the connection if the name doesn't
> >>> match.
> >> 
> >> If someone goes through the trouble of using SSL with MySQL .. should this
> >> even be optional? I guess I shouldn’t break any v2.2 installations even
> >> accidentally, but for v2.3 I don’t really see any point of not having this
> >> enabled unconditionally.
> > 
> > It should be optional or it will break other running systems when the
> > update/upgrade.
> 
> But perhaps it should break (in v2.3.0)? Otherwise it’s not really running securely anyway. At least the default should be to verify the cert.

Attached is a revised patch that defaults to verifying the cert.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssl-verify-server-cert-20131120.patch
Type: text/x-patch
Size: 4615 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20131125/8a94dee4/attachment-0001.bin>

